Key Performance Indicators Information Security


Key Performance Indicators Information Security

by Salaets, Steven

All,


I am currently establishing a set of key performance indicators for our
security office, and while looking around for general practices etc. I get
the impression there is not much available out there (or did I look in
the wrong places?). Does anybody have some feedback or online resources on
KPIs within Information Security?

-steven

RE: Key Performance Indicators Information Security

by Muhamand Wilkes



Number of Confirmed Incidents is a good metric, and a compliance percentage against the latest (or most common) vulnerabilities is another.

Muhamand Wilkes

CENTCOM 160th Sig BDE IAD (Contractor)

"That boy was a genius, booked the number wit out paper or pencil."
-Richard Pryor

 


From: "Salaets, Steven" <steven.salaets@...>
To: <security-management@...>
Subject: Key Performance Indicators Information Security
Date: Sat, 3 Jun 2006 22:48:31 -0700
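The two indicators suggested in this reply (confirmed incidents, and a compliance percentage against a tracked set of vulnerabilities) computed over constructed data, as an added worked example that is not part of the thread or of any standard it cites. The ticket statuses, host names and vulnerability ids below are placeholders I made up; the only design points the code takes from the reply are that suspected and false-positive tickets must not count as incidents, and that compliance is measured per vulnerability so a gap in scan coverage is visible rather than silently reported as 100 %.

```python
"""KPI computation over constructed incident and scan data.

Added example (not from the thread): implements 'confirmed incidents per
reporting period' and 'compliance percentage against tracked
vulnerabilities'. Every record below is constructed for illustration;
ticket ids, host names and vulnerability ids are placeholders.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    ticket: str
    opened: date
    status: str  # "suspected", "confirmed" or "false_positive"


@dataclass(frozen=True)
class ScanFinding:
    host: str
    vuln_id: str      # id of a tracked vulnerability (placeholder values)
    remediated: bool  # True once the fix has been verified by a rescan


# Constructed sample data (placeholder ids, 2006 dates to match the thread).
INCIDENTS = [
    Incident("INC-001", date(2006, 5, 3), "confirmed"),
    Incident("INC-002", date(2006, 5, 9), "false_positive"),
    Incident("INC-003", date(2006, 5, 21), "confirmed"),
    Incident("INC-004", date(2006, 6, 2), "suspected"),
    Incident("INC-005", date(2006, 6, 4), "confirmed"),
]

FINDINGS = [
    ScanFinding("web-01", "VULN-A", True),
    ScanFinding("web-02", "VULN-A", False),
    ScanFinding("db-01", "VULN-A", True),
    ScanFinding("web-01", "VULN-B", True),
    ScanFinding("web-02", "VULN-B", True),
    ScanFinding("mail-01", "VULN-C", False),
]


def confirmed_incidents_per_month(incidents):
    """Count only tickets whose status is 'confirmed', keyed by YYYY-MM.

    Suspected and false-positive tickets are excluded on purpose: the
    indicator should track real events, not alert volume.
    """
    counts = Counter()
    for inc in incidents:
        if inc.status == "confirmed":
            counts[inc.opened.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def compliance_percentage(findings, vuln_ids=None):
    """Per-vulnerability share of affected hosts that have remediated it.

    Returns {vuln_id: percentage rounded to one decimal}. Pass ``vuln_ids``
    to report only the 'latest or most common' set. A tracked id that never
    appears in the scan data maps to None, not 100, so missing coverage is
    visible instead of looking like full compliance.
    """
    affected = defaultdict(int)
    fixed = defaultdict(int)
    for f in findings:
        if vuln_ids is not None and f.vuln_id not in vuln_ids:
            continue
        affected[f.vuln_id] += 1
        if f.remediated:
            fixed[f.vuln_id] += 1
    ids = vuln_ids if vuln_ids is not None else sorted(affected)
    result = {}
    for v in ids:
        if affected[v] == 0:
            result[v] = None
        else:
            result[v] = round(100.0 * fixed[v] / affected[v], 1)
    return result


def overall_compliance(findings):
    """Single headline figure: remediated findings over all findings, in %."""
    if not findings:
        return None
    return round(100.0 * sum(f.remediated for f in findings) / len(findings), 1)


if __name__ == "__main__":
    print(confirmed_incidents_per_month(INCIDENTS))
    print(compliance_percentage(FINDINGS))
    print(compliance_percentage(FINDINGS, ["VULN-A", "VULN-D"]))
    print(overall_compliance(FINDINGS))
```

Feeding real ticket and scanner exports in requires only replacing the two constructed lists; keeping the "confirmed only" filter and the per-vulnerability None for unscanned ids is what stops the KPI from drifting toward counting noise or hiding coverage gaps.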

Re: Key Performance Indicators Information Security

by Dennis Opacki

Steven,

You are correct that information security metrics are still rather
nascent. Good starting points for research are NIST SP800-55 [1] and
the Corporate Information Security Working Group report from 2004
[2]. I would expect ISO/IEC 27004 to provide additional authoritative
guidance, though its release is still a ways off. In addition, I put
together a short write-up of some of the challenges I have
experienced building security metrics programs; you might find it
helpful [3].

Good luck!

-Dennis Opacki, CISSP QDSP

[1] http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
[2] http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
[3] http://www.infosecwriters.com/text_resources/pdf/BU_Scorecards.pdf


On Jun 3, 2006, at 10:48 PM, Salaets, Steven wrote:



RE: Key Performance Indicators Information Security

by magdelin tey

If you can get hold of the ISO 27004 document, it is a good guideline on how to establish KPIs based on the BS7799 standard.



RE: Key Performance Indicators Information Security

by Mark Curphey

www.securitymetrics.org is a great resource for this topic. Andy Jaquith is
writing a book on the subject and has some very insightful comments in his
draft chapters that are online.

-----Original Message-----
From: Dennis Opacki [mailto:dopacki@...]
Sent: Tuesday, June 06, 2006 9:23 PM
To: Salaets, Steven
Cc: security-management@...
Subject: Re: Key Performance Indicators Information Security




Does the Security Department own and operate security infrastructure?

by Serge Vondandamo


Hi Security Managers,

 

I would like to know whether the Security department owns and operates security systems such as FW, IDS, AV and logging systems.

How is it done in your organisations? Who operates these systems, security folks or IT operations folks?

Thanks,

Serge

 


Re: Does the Security Department own and operate security infrastructure?

by kathy.kirk






In our organization, the Info Sec office develops the policies / rules as
to how those products need to work. The IT department implements those
rules. The Info Sec Office is also considered tier 3 support, meaning we get
involved during an incident, but do not participate in the day-to-day
operations.

kathy



                                                                           
From: "Serge Vondandamo" <serge.vondandamo@wanadoo.fr>
To: <security-management@securityfocus.com>
cc:
Date: Thu 06/08/2006 10:46 PM
Subject: Do Security Department owns and operates security infrastructure?




Re: Does the Security Department own and operate security infrastructure?

by jay.tomas@infosecguru.com

Kathy,

Could you please elaborate on "getting involved"? Does that mean you have privileged system access
to FW, IDS, etc.?

Jay

----- Original Message -----
From: kathy.kirk@...
To: serge.vondandamo@...
Cc: security-management@...
Sent: Mon, 12 Jun 2006 09:08:01 -0400
Subject: Re: Do Security Department owns and operates security infrastructure?
